WizardMerge/docs/CONTEXT_RISK_ANALYSIS.md

Context Analysis and Risk Analysis Features

Overview

WizardMerge now includes intelligent context analysis and risk assessment features for merge conflicts, as outlined in ROADMAP.md Phase 3 (AI-Assisted Merging).

Features

Context Analysis

Context analysis examines the code surrounding merge conflicts to provide better understanding of the changes.

Extracted Information:

• Function/Method Name: Identifies which function contains the conflict
• Class/Struct Name: Identifies which class contains the conflict
• Import/Include Statements: Lists dependencies at the top of the file
• Surrounding Lines: Provides configurable context window (default: 5 lines)

Supported Languages:

• C/C++
• Python
• JavaScript/TypeScript (enhanced with TypeScript-specific patterns)
• Java

TypeScript-Specific Features:

• Detects interfaces, types, and enums
• Recognizes arrow functions and async functions
• Identifies export statements
• Extracts type imports and re-exports

Risk Analysis

Risk analysis assesses different resolution strategies and provides recommendations.

Risk Levels:

• LOW: Safe to merge, minimal risk
• MEDIUM: Some risk, review recommended
• HIGH: High risk, careful review required
• CRITICAL: Critical risk, requires expert review

Resolution Strategies Analyzed:

1. Accept OURS: Use our version
2. Accept THEIRS: Use their version
3. Accept BOTH: Concatenate both versions

Risk Factors Detected:

• Large number of changes (>10 lines)
• Critical code patterns (delete, eval, system calls, security operations)
• API signature changes
• TypeScript interface/type definition changes
• TypeScript type safety bypasses (as any, @ts-ignore, @ts-nocheck)
• XSS vulnerabilities (dangerouslySetInnerHTML, innerHTML)
• Insecure storage of sensitive data
• Discarding significant changes from other branch

Package Lock File Handling:

• Detects package-lock.json, yarn.lock, pnpm-lock.yaml, and bun.lockb files
• Can be used to apply special merge strategies for dependency files

Provided Information:

• Risk level (low/medium/high/critical)
• Confidence score (0.0 to 1.0)
• List of risk factors
• Actionable recommendations

API Usage

HTTP API

When calling the /api/merge endpoint, conflict responses now include context and risk assessment fields:

{
  "merged": [...],
  "has_conflicts": true,
  "conflicts": [
    {
      "start_line": 5,
      "end_line": 5,
      "base_lines": ["..."],
      "our_lines": ["..."],
      "their_lines": ["..."],
      "context": {
        "function_name": "myFunction",
        "class_name": "MyClass",
        "imports": ["#include <iostream>", "import sys"]
      },
      "risk_ours": {
        "level": "low",
        "confidence_score": 0.65,
        "risk_factors": [],
        "recommendations": ["Changes appear safe to accept"]
      },
      "risk_theirs": {
        "level": "low",
        "confidence_score": 0.60,
        "risk_factors": [],
        "recommendations": ["Changes appear safe to accept"]
      },
      "risk_both": {
        "level": "medium",
        "confidence_score": 0.30,
        "risk_factors": [
          "Concatenating both versions may cause duplicates or conflicts"
        ],
        "recommendations": [
          "Manual review required - automatic concatenation is risky",
          "Consider merging logic manually instead of concatenating",
          "Test thoroughly for duplicate or conflicting code"
        ]
      }
    }
  ]
}

C++ API

#include "wizardmerge/merge/three_way_merge.h"
#include "wizardmerge/analysis/context_analyzer.h"
#include "wizardmerge/analysis/risk_analyzer.h"

using namespace wizardmerge::merge;
using namespace wizardmerge::analysis;

// Perform merge
auto result = three_way_merge(base, ours, theirs);

// Access analysis for each conflict
for (const auto& conflict : result.conflicts) {
    // Context information
    std::cout << "Function: " << conflict.context.function_name << std::endl;
    std::cout << "Class: " << conflict.context.class_name << std::endl;
    
    // Risk assessment for "ours"
    std::cout << "Risk (ours): " 
              << risk_level_to_string(conflict.risk_ours.level) 
              << std::endl;
    std::cout << "Confidence: " 
              << conflict.risk_ours.confidence_score 
              << std::endl;
    
    // Recommendations
    for (const auto& rec : conflict.risk_ours.recommendations) {
        std::cout << "  - " << rec << std::endl;
    }
}

Implementation Details

Context Analyzer

Header: backend/include/wizardmerge/analysis/context_analyzer.h
Implementation: backend/src/analysis/context_analyzer.cpp

Key functions:

• analyze_context(): Main analysis function
• extract_function_name(): Extract function/method name
• extract_class_name(): Extract class/struct name
• extract_imports(): Extract import statements

Risk Analyzer

Header: backend/include/wizardmerge/analysis/risk_analyzer.h
Implementation: backend/src/analysis/risk_analyzer.cpp

Key functions:

• analyze_risk_ours(): Assess risk of accepting ours
• analyze_risk_theirs(): Assess risk of accepting theirs
• analyze_risk_both(): Assess risk of concatenation
• contains_critical_patterns(): Detect security-critical code
• has_api_signature_changes(): Detect API changes
• has_typescript_interface_changes(): Detect TypeScript type definition changes
• is_package_lock_file(): Identify package lock files

TypeScript Support

The analyzers now include comprehensive TypeScript support:

Context Analyzer:

• Recognizes TypeScript function patterns (async, export, arrow functions)
• Detects TypeScript type structures (interface, type, enum)
• Extracts TypeScript imports (import type, export)

Risk Analyzer:

• Detects TypeScript-specific risks:
  • Type safety bypasses: as any, @ts-ignore, @ts-nocheck
  • React security issues: dangerouslySetInnerHTML
  • XSS vulnerabilities: innerHTML
  • Insecure storage: storing passwords in localStorage
• Identifies interface/type definition changes
• Recognizes package lock file conflicts

Example: TypeScript Interface Change Detection

std::vector<std::string> base = {
    "interface User {",
    "    name: string;",
    "}"
};
std::vector<std::string> modified = {
    "interface User {",
    "    name: string;",
    "    email: string;",
    "}"
};

if (has_typescript_interface_changes(base, modified)) {
    std::cout << "TypeScript interface changed!" << std::endl;
}

Example: Package Lock File Detection

std::string filename = "package-lock.json";
if (is_package_lock_file(filename)) {
    std::cout << "Applying special merge strategy for lock file" << std::endl;
}

Testing

Comprehensive test coverage with 46 unit tests:

• 13 tests for context analyzer (including 6 TypeScript tests)
• 16 tests for risk analyzer (including 7 TypeScript tests)
• 8 tests for three-way merge
• 9 tests for Git CLI

Run tests:

cd backend/build
./wizardmerge-tests

TypeScript-specific tests verify:

• Arrow function detection
• Interface, type, and enum extraction
• TypeScript import patterns
• Type definition change detection
• Critical pattern detection (as any, @ts-ignore, etc.)
• Package lock file identification

Security

All code has been scanned with CodeQL:

• 0 vulnerabilities found
• Safe for production use

Configuration

Risk analysis weights are configurable via constants in risk_analyzer.cpp:

• BASE_CONFIDENCE: Base confidence level (default: 0.5)
• SIMILARITY_WEIGHT: Weight for code similarity (default: 0.3)
• CHANGE_RATIO_WEIGHT: Weight for change ratio (default: 0.2)

Context analysis configuration:

• IMPORT_SCAN_LIMIT: Lines to scan for imports (default: 50)

Future Enhancements

Potential improvements outlined in ROADMAP.md:

• ML-based confidence scoring
• Language-specific pattern detection
• Integration with LSP for deeper semantic analysis
• Historical conflict resolution learning
• Custom risk factor rules

References

• ROADMAP.md: Phase 3, Section 3.1 (AI-Assisted Merging)
• Research Paper: docs/PAPER.md (dependency analysis methodology)